IG-2025-0007 Setting up Credentials

The CryptoServer SQLEKM provider exposes basic authentication to the SQL Server using username/password pairs. These pairs are stored in so-called credentials that need to be created per EKM provider. Finally, a credential is mapped to an SQL Server login.

If a logged-in user wants to access a certain EKM provider, the credential mapped to both the login and the EKM provider is looked up and the username/password is passed to the EKM provider. The CryptoServer SQLEKM provider uses this information to log in to the CryptoServer.

Figure 1: Credential mapping

The same credential can be used for multiple SQL Server logins. Also, a login can be used with multiple credentials as long as the EKM providers are different. Otherwise, the lookup described above will fail.

The following SQL will create a credential csekm for the CryptoServer user sqlekm with the password utimaco.

SQL Statement

CREATE CREDENTIAL csekm
WITH IDENTITY = 'sqlekm', SECRET = 'utimaco'
FOR CRYPTOGRAPHIC PROVIDER utimaco

Creating a CryptoServer user needs to be done either via csadm or the CAT Administration. For detailed information, refer to chapter 4.14.1 of the CryptoServer Manual Systemadministrator.

Use the following SQL statement to map the credential to any SQL Server account. You can, for example, substitute <user> with an integrated account like sa or a Windows account like [DB1\Administrator].

SQL Statement

ALTER LOGIN <user> ADD CREDENTIAL csekm
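
A check of the credential mapping described above, as an added example that is not part of the original guide: it lists which logins can reach which EKM provider and under which CryptoServer user, then flags mappings that break the one-credential-per-provider rule and credentials left unmapped. It uses only the standard SQL Server catalog views sys.server_principal_credentials, sys.server_principals, sys.credentials and sys.cryptographic_providers.

```sql
-- 1. Every login-to-credential mapping that targets an EKM provider.
--    credential_identity is the CryptoServer user name (e.g. sqlekm).
SELECT sp.name               AS login_name,
       sp.type_desc          AS login_type,
       c.name                AS credential_name,
       c.credential_identity AS cryptoserver_user,
       cp.name               AS ekm_provider,
       cp.is_enabled         AS provider_enabled
FROM sys.server_principal_credentials AS spc
JOIN sys.server_principals       AS sp ON sp.principal_id = spc.principal_id
JOIN sys.credentials             AS c  ON c.credential_id = spc.credential_id
JOIN sys.cryptographic_providers AS cp ON cp.provider_id  = c.target_id
WHERE c.target_type = 'CRYPTOGRAPHIC PROVIDER'
ORDER BY cp.name, sp.name;

-- 2. Logins holding more than one credential for the same EKM provider.
--    The lookup is ambiguous for these; the result set should be empty.
SELECT sp.name  AS login_name,
       cp.name  AS ekm_provider,
       COUNT(*) AS mapped_credentials
FROM sys.server_principal_credentials AS spc
JOIN sys.server_principals       AS sp ON sp.principal_id = spc.principal_id
JOIN sys.credentials             AS c  ON c.credential_id = spc.credential_id
JOIN sys.cryptographic_providers AS cp ON cp.provider_id  = c.target_id
WHERE c.target_type = 'CRYPTOGRAPHIC PROVIDER'
GROUP BY sp.name, cp.name
HAVING COUNT(*) > 1;

-- 3. EKM credentials that exist but are mapped to no login
--    (created with CREATE CREDENTIAL, never attached with ALTER LOGIN).
SELECT c.name                AS credential_name,
       c.credential_identity AS cryptoserver_user,
       cp.name               AS ekm_provider,
       c.create_date,
       c.modify_date
FROM sys.credentials AS c
JOIN sys.cryptographic_providers AS cp ON cp.provider_id = c.target_id
LEFT JOIN sys.server_principal_credentials AS spc
       ON spc.credential_id = c.credential_id
WHERE c.target_type = 'CRYPTOGRAPHIC PROVIDER'
  AND spc.credential_id IS NULL;
```

Running the first query after each ALTER LOGIN ... ADD CREDENTIAL confirms that only the intended logins are mapped to the CryptoServer user.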